Btw, it seems to me there's no $ sign in template variables.

On Thu, 14 May 2020 at 15:45, Soham Chakraborty via rsyslog
<[email protected]> wrote:
>
> Hi Rainer and John,
>
> Here is the complete rsyslog.conf file:
>
> +++++++++++++++++++
> # rsyslog configuration file
>
> # For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
> # If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
>
> #### MODULES ####
>
> # The imjournal module below is now used as a message source instead of imuxsock.
> $ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
> $ModLoad imjournal # provides access to the systemd journal
> #$ModLoad imklog # reads kernel messages (the same are read from journald)
> #$ModLoad immark  # provides --MARK-- message capability
>
> # Provides UDP syslog reception
> $ModLoad imudp
> $UDPServerRun 8514
>
> # Provides TCP syslog reception
> $ModLoad imtcp
> $InputTCPServerRun 8514
>
>
> #### GLOBAL DIRECTIVES ####
>
> # Where to place auxiliary files
> $WorkDirectory /var/lib/rsyslog
>
> # Use default timestamp format
> $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
>
> # File syncing capability is disabled by default. This feature is usually not required,
> # not useful and an extreme performance hit
> #$ActionFileEnableSync on
>
> # Include all config files in /etc/rsyslog.d/
> $IncludeConfig /etc/rsyslog.d/*.conf
>
> # Turn off message reception via local log socket;
> # local messages are retrieved through imjournal now.
> $OmitLocalLogging on
>
> # File to store the position in the journal
> $IMJournalStateFile imjournal.state
>
>
> #### RULES ####
>
> # Log all kernel messages to the console.
> # Logging much else clutters up the screen.
> #kern.*                                                 /dev/console
>
> # Log anything (except mail) of level info or higher.
> # Don't log private authentication messages!
> *.info;mail.none;authpriv.none;cron.none                /var/log/messages
>
> # The authpriv file has restricted access.
> authpriv.*                                              /var/log/secure
>
> # Log all the mail messages in one place.
> mail.*                                                  -/var/log/maillog
>
>
> # Log cron stuff
> cron.*                                                  /var/log/cron
>
> # Everybody gets emergency messages
> *.emerg                                                 :omusrmsg:*
>
> # Save news errors of level crit and higher in a special file.
> uucp,news.crit                                          /var/log/spooler
>
> # Save boot messages also to boot.log
> local7.*                                                /var/log/boot.log
>
>
> # ### begin forwarding rule ###
> # The statement between the begin ... end define a SINGLE forwarding
> # rule. They belong together, do NOT split them. If you create multiple
> # forwarding rules, duplicate the whole block!
> # Remote Logging (we use TCP for reliable delivery)
> #
> # An on-disk queue is created for this action. If the remote host is
> # down, messages are spooled to disk and sent when it is up again.
> #$ActionQueueFileName fwdRule1 # unique name prefix for spool files
> #$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
> #$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
> #$ActionQueueType LinkedList   # run asynchronously
> #$ActionResumeRetryCount -1    # infinite retries if host is down
> # remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
> #*.* @@remote-host:514
> # ### end of the forwarding rule ###
> #
>
> input(type="imtcp" port="8516" ruleset="wlc_logs")
>
> template(name="wlc_logs"
> string="/opt/data/syslog/wlc/%HOSTNAME%/wlc_%$YEAR%-%$MONTH%-%%DAYS%-%$MONTH%-%$DAY%-%$HOUR%.log"
> type="string")
>
> ruleset(name="wlc_logs") {
>   action(
>     queue.type="fixedArray"
>     queue.size="250000"
>     queue.dequeueBatchSize="4096"
>     queue.workerThreads="4"
>     queue.workerThreadMinimumMessages="60000"
>     type="omfile"
>     Dynafile="wlc_logs"
>     dirCreateMode="0755"
>     dirGroup="splunk"
>     dirOwner="splunk"
>     fileCreateMode="0640"
>     fileGroup="splunk"
>     fileOwner="splunk"
>   )
> }
> +++++++++++++++++
>
> And here is the error:
>
> +++++++++++++++
> #  rsyslogd -N1
> rsyslogd: version 8.24.0-52.el7, config validation run (level 1),
> master config /etc/rsyslog.conf
> rsyslogd: Option value must be on or off, but is '' [v8.24.0-52.el7]
> rsyslogd: Option value must be on or off, but is '' [v8.24.0-52.el7]
> rsyslogd: Option value must be on or off, but is '' [v8.24.0-52.el7]
> rsyslogd: Option value must be on or off, but is '' [v8.24.0-52.el7]
> rsyslogd: Option value must be on or off, but is '' [v8.24.0-52.el7]
> rsyslogd: Option value must be on or off, but is '' [v8.24.0-52.el7]
> rsyslogd: error during parsing file /etc/rsyslog.conf, on or before
> line 98: invalid property '' [v8.24.0-52.el7 try
> http://www.rsyslog.com/e/2207 ]
> rsyslogd: error during parsing file /etc/rsyslog.conf, on or before
> line 98: error processing template object [v8.24.0-52.el7 try
> http://www.rsyslog.com/e/2207 ]
> rsyslogd:  Could not find template 1 'wlc_logs' - action disabled
> [v8.24.0-52.el7 try http://www.rsyslog.com/e/3003 ]
> rsyslogd: error during parsing file /etc/rsyslog.conf, on or before
> line 113: errors occured in file '/etc/rsyslog.conf' around line 113
> [v8.24.0-52.el7 try http://www.rsyslog.com/e/2207 ]
> ++++++++++++++++++
>
> So we are seeing same error as before.
>
> Thanks,
>
> On Thu, May 14, 2020 at 4:58 PM Rainer Gerhards
> <[email protected]> wrote:
> >
> > The problem might be related to the beauty of "unnecessary include
> > files" - the problem construct could be in the file that is included
> > before this one.
> >
> > I suggest to take the content of asa.conf and copy&paste it verbatim
> > to the spot in rsyslog.conf itself where you want it. At a minimum,
> > this makes troubleshooting easier.
> >
> > Rainer
> >
> > On Wed, 13 May 2020 at 12:32, Soham Chakraborty via rsyslog
> > (<[email protected]>) wrote:
> > >
> > > Hi David,
> > >
> > > Thanks for your input.
> > >
> > > I am now trying to modify the config to use action() syntax and I
> > > think I am getting it wrong.
> > >
> > > # cat asa.conf
> > > input(type="imtcp" port="8514" ruleset="asa_logs")
> > >
> > > template(name="asa-logs"
> > > string="/opt/data/syslog/asa/%HOSTNAME%/asa_%$YEAR%-%$MONTH%-%$DAY%-%$HOUR%.log"
> > > type="string")
> > >
> > > ruleset(name="asa_logs") {
> > >     action(
> > >       queue.type="fixedArray"
> > >       queue.size="250000"
> > >       queue.dequeueBatchSize="4096"
> > >       queue.workerThreads="4"
> > >       queue.workerThreadMinimumMessages="60000"
> > >       type="omfile"
> > >       DynaFile="asa-logs"
> > >       dirCreateMode="0755"
> > >       fileCreateMode="0640"
> > >       dirGroup="splunk"
> > >       dirOwner="splunk"
> > >       fileOwner="splunk"
> > >       fileGroup="splunk")
> > > }
> > >
> > > When I run "rsyslogd -N1" it throws me an error in parsing the config
> > > file. The errors are:
> > >
> > > Error during parsing file /etc/rsyslog.d/asa.conf, on or before line
> > > 5: invalid property ' ' [rsyslog version try
> > > http://rsyslog.com/e/2207]
> > > Error during parsing file /etc/rsyslog.d/asa.conf, on or before line
> > > 5: error parsing template object [rsyslog version try
> > > http://rsyslog.com/e/2207]
> > > rsyslogd: Could not find template 1 "asa-logs" - action disabled
> > > [rsyslog version try http://rsyslog.com/e/3003]
> > > Error during parsing file /etc/rsyslog.d/asa.conf, on or before line
> > > 20: errors occurred in file '/etc/rsyslog.d/asa.conf' around line 20
> > > [rsyslog version try http://rsyslog.com/e/2207]
> > >
> > > What am I getting wrong? Syntactically?
> > >
> > > Thanks,
> > >
> > > On Wed, May 13, 2020 at 8:00 AM David Lang <[email protected]> wrote:
> > > >
> > > > dynafile2 is just a string, so your example using cyberark instead is valid
> > > >
> > > > look at the action() syntax rather than having all the $foo lines, the new
> > > > syntax was created to make it far easier to understand.
> > > >
> > > > you may also want to try the -o filename option when you start rsyslog, this has
> > > > rsyslog write out its config as it understands it. I believe it writes it out
> > > > in the new syntax, so this may do some of the conversion work for you.
> > > >
> > > > David Lang
> > > >
> > > _______________________________________________
> > > rsyslog mailing list
> > > https://lists.adiscon.net/mailman/listinfo/rsyslog
> > > http://www.rsyslog.com/professional-services/
> > > What's up with rsyslog? Follow https://twitter.com/rgerhards
> > > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad 
> > > of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you 
> > > DON'T LIKE THAT.

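An added example, not part of the thread and not rsyslog code: a simplified lint that walks the `%property%` references of a string template and is run over the two `string=` values quoted above. It is not rsyslog's own parser, and the name pattern is an assumption; it shows that the `%%DAYS%` sequence in the `wlc_logs` template yields an empty property name, the same wording as the `invalid property ''` line in the `rsyslogd -N1` output.

```python
import re

# Simplified name check (assumption, not rsyslog's rule set): a property name
# starts with a letter, or with "$" for system properties/variables ($YEAR, $!x).
NAME_RE = re.compile(r"^(\$[!./]?)?[A-Za-z][\w!.\-]*$")

# Template strings copied from the configuration quoted in the thread.
WLC = ("/opt/data/syslog/wlc/%HOSTNAME%/wlc_%$YEAR%-%$MONTH%-"
       "%%DAYS%-%$MONTH%-%$DAY%-%$HOUR%.log")
ASA = "/opt/data/syslog/asa/%HOSTNAME%/asa_%$YEAR%-%$MONTH%-%$DAY%-%$HOUR%.log"


def lint_template(s):
    """Return a list of (offset, problem) for a string-template value."""
    findings = []
    i = 0
    while i < len(s):
        if s[i] == "\\":            # backslash escapes the next character
            i += 2
            continue
        if s[i] != "%":             # ordinary literal text
            i += 1
            continue
        end = s.find("%", i + 1)    # a property runs up to the next "%"
        if end == -1:
            findings.append((i, "unterminated property: %r" % s[i:]))
            break
        # The name is the part before any ":from:to:options" suffix.
        name = s[i + 1:end].split(":", 1)[0]
        if name == "":
            findings.append((i, "empty property name"))
        elif not NAME_RE.match(name):
            findings.append((i, "invalid property name %r" % name))
        i = end + 1
    return findings


if __name__ == "__main__":
    for label, tpl in (("wlc_logs", WLC), ("asa-logs", ASA)):
        for offset, problem in lint_template(tpl) or [(None, "no findings")]:
            print(label, offset, problem)
```

Once the stray `%` has shifted the pairing, every later `%` is matched with the wrong partner, which is why the lint also reports `'-'` as a property name and an unterminated property at `%.log`.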